Bitcoin Forum
Author Topic: Game theory involving Quantum Resistance protocol  (Read 809 times)
pereira4 (OP) | Legendary | Activity: 1610 | Merit: 1183
October 08, 2019, 11:17:19 PM | #1 | Merited by JayJuanGee (1)

Let's say Google or your favorite triple letter agency (same thing?) comes up with a computer of quantum nature which is able to move the funds of our guy satoshi. Everyone starts tripping, headlines everywhere, mass hysteria. How would the game theory involved in the necessary changes to protect from this unfold?

Forget about what to do specifically, just think, of all possible candidates, how would the one that gets selected as the fit candidate become the winning fork? We would have people arguing this or that method is the way to go until we are pushed to the limit? It would be segwit on steroids.

I really wonder about this pretty much daily and I don't have the answers. Not only would we have a problem changing hashing algos, elliptic curves and whathaveyou, but we would need to do something about funds which are no longer safe. What do you do with satoshi's stack? How does this resolve? There would be people claiming "do nothing with satoshi's coins, they are his coins after all" while others will argue the coins are basically a big vulnerability for the ecosystem at that point. Do you have any clear vision of how things would turn out? These things need to be planned ahead and I don't see enough discussion tbh.
figmentofmyass | Legendary | Activity: 1652 | Merit: 1483
October 08, 2019, 11:38:32 PM | #2

Quote from: pereira4
I really wonder about this pretty much daily and I don't have the answers. Not only would we have a problem changing hashing algos, elliptic curves and whathaveyou, but we would need to do something about funds which are no longer safe. What do you do with satoshi's stack? How does this resolve? There would be people claiming "do nothing with satoshi's coins, they are his coins after all" while others will argue the coins are basically a big vulnerability for the ecosystem at that point. Do you have any clear vision of how things would turn out? These things need to be planned ahead and I don't see enough discussion tbh.

1. implement quantum resistant signatures
2. give people 5-10 years to move their coins
3. destroy all non quantum resistant outputs

move 'em or lose 'em! once the fork occurs, all previously lost coins would be permanently destroyed. this provides the added bonus of being a one-time audit of the active supply.

do i see this actually happening? not really, i just think that's the best case scenario. there seems to be a lot of inertia around this issue. a lot of people seem to think "no biggie" about a huge chunk of the supply being vulnerable, which boggles my mind.

Carlton Banks | Legendary | Activity: 3430 | Merit: 3068
October 09, 2019, 12:19:18 AM | #3 | Merited by fillippone (1)

Quote from: pereira4
I really wonder about this pretty much daily

really?


Quote from: pereira4
Not only would we have a problem changing hashing algos, elliptic curves and whathaveyou, but we would need to do something about funds which are no longer safe.

supposedly there is no possible way of using quantum computing algorithms to find an efficient solution for reversing hash algorithm outputs. I think that because hashing involves destroying such a large quantity of the original data input, that's a reasonable assumption. I know almost nothing about cryptography though.

That's the reason why Bitcoin "addresses" are not the ECDSA public key, but a RIPEMD160 hash of the public key. Until the BTC is spent, the public key is protected from actual publicity, but spending involves revealing the public key in order to validate the transaction.

So, in the event of QC blockchain-ogeddon, funds stored at addresses that have never been spent from will not (theoretically) be vulnerable. However, at least 1 developer has suggested this assumption is not as safe as was assumed when this was devised, I do not remember the details however


Quote from: pereira4
What do you do with satoshi's stack? How does this resolve? There would be people claiming "do nothing with satoshi's coins, they are his coins after all" while others will argue the coins are basically a big vulnerability for the ecosystem at that point. Do you have any clear vision of how things would turn out? These things need to be planned ahead and I don't see enough discussion tbh.

I think @theymos actually did bring this up some time ago (and people mostly didn't see what the point was, and accused him of being jealous of satoshi or something or other)

The fact is, early BTC from ~ 2009 did not have a hash to protect the public key, those mined coins have their public key directly exposed on the blockchain right now. A known quantum computing algorithm can be used to efficiently spend those coins, which includes satoshi's stash (it's a guess who it all belongs to, certainly satoshi must own some though). The only thing stopping this is that the hardware doesn't exist. Yet.

which is why making satoshi's coins unspendable has merit: to anyone developing QCs, 1,000,000 BTC is effectively the bounty for keeping the details of progress in their work very quiet. If anyone is in the race to develop cutting edge QCs, the sort of people who ought not to have that much power are definitely in contention. Of course, there will always be loud screeches that "satoshi should be allowed to keep his/their BTC", but in this scenario, satoshi loses it either way if action is not taken well in advance. Because the coins haven't moved, one could argue satoshi is either dead or confident it won't happen.

pereira4 (OP) | Legendary | Activity: 1610 | Merit: 1183
October 09, 2019, 02:04:09 AM | #4 | Merited by fillippone (1)


Quote from: Carlton Banks
supposedly there is no possible way of using quantum computing algorithms to find an efficient solution for reversing hash algorithm outputs. I think that because hashing involves destroying such a large quantity of the original data input, that's a reasonable assumption. I know almost nothing about cryptography though.

That's the reason why Bitcoin "addresses" are not the ECDSA public key, but a RIPEMD160 hash of the public key. Until the BTC is spent, the public key is protected from actual publicity, but spending involves revealing the public key in order to validate the transaction.

So, in the event of QC blockchain-ogeddon, funds stored at addresses that have never been spent from will not (theoretically) be vulnerable. However, at least 1 developer has suggested this assumption is not as safe as was assumed when this was devised, I do not remember the details however

I think you are talking about Pieter Wuille:


Quote from: Pieter Wuille
Any unconfirmed transaction in flight exposes public keys, so if a QC exists, at least moving coins around safely becomes impossible. Further, a massive fraction of the currency supply can be taken. Lastly, you likely have exposed your own pubkey already.

Quote from: Pieter Wuille
Given all those hypothetical attack models that pubkey hashing doesn't help with at all, I think it's fair to say that Bitcoin as it exists today is not quantum secure, period.

It doesn't sound good. The thing with Bitcoin is that in order for it to be "gold 2.0" we must avoid clusterfucks like this, or if they happen, it must be at least a once-in-a-lifetime event. Moving huge sums is a big PITA for serious permahodlers.



Quote from: Carlton Banks
I think @theymos actually did bring this up some time ago (and people mostly didn't see what the point was, and accused him of being jealous of satoshi or something or other)

The fact is, early BTC from ~ 2009 did not have a hash to protect the public key, those mined coins have their public key directly exposed on the blockchain right now. A known quantum computing algorithm can be used to efficiently spend those coins, which includes satoshi's stash (it's a guess who it all belongs to, certainly satoshi must own some though). The only thing stopping this is that the hardware doesn't exist. Yet.

which is why making satoshi's coins unspendable has merit: to anyone developing QCs, 1,000,000 BTC is effectively the bounty for keeping the details of progress in their work very quiet. If anyone is in the race to develop cutting edge QCs, the sort of people who ought not to have that much power are definitely in contention. Of course, there will always be loud screeches that "satoshi should be allowed to keep his/their BTC", but in this scenario, satoshi loses it either way if action is not taken well in advance. Because the coins haven't moved, one could argue satoshi is either dead or confident it won't happen.

Yeah it was theymos and he got hated bigly for his approach. The way I see it, the stash should be re-introduced slowly as mining rewards, or at least that's how I would have coded it since day 1, since if you are the only guy mining in the world, there isn't even a network and you would get a disproportionate amount of coins as the single participant in the system. At the same time I also think he took the bigger risk, so it should be rewarded... tough call.
pooya87 | Legendary | Activity: 3402 | Merit: 10435
October 09, 2019, 03:07:57 AM | #5

Quote from: Carlton Banks
supposedly there is no possible way of using quantum computing algorithms to find an efficient solution for reversing hash algorithm outputs. I think that because hashing involves destroying such a large quantity of the original data input, that's a reasonable assumption. I know almost nothing about cryptography though.

hashes could never be "reversed" and it is not exactly about efficiency, it is about virtually unlimited solutions. think of it like this: if i say i have a big number that is the sum of 10 other numbers you will never be able to guess what those 10 values were because there simply are too many possibilities.

the difference between hashing and ECC is that ECC is pure math so there could someday be a solution to solve that reverse mathematical problem (ECDLP) in a faster way, but hashing is a completely chaotic algorithm where we take an input, "mutate" it, toss the bits around and come up with a neat result. so the only way to attack hashing algorithms has always been to find a collision, meaning if i said "a85845e696ee7aac1b012d611edcbd6fbf1884c5" is my SHA1 hash you will never be able to find out what message i hashed but you could find another message some day (you still can't do it today even for SHA1) that could give the same result.

aliashraf | Legendary | Activity: 1456 | Merit: 1174
October 09, 2019, 04:27:47 AM | #6
Last edit: October 09, 2019, 04:58:12 AM by aliashraf

OP,

I think there is and there will be no solution regarding funds in addresses with already exposed public keys in case of a QC cryptographic disaster. Such addresses are not too many, thank god.

Implementing an efficient QC resistant signing algorithm is not much of a hurdle but the problem of 'old' wallets and their owners failing to 'migrate' to brand new QC resistant addresses is a serious one.

I think I have a solution for this latter problem which covers the case of Satoshi's coins:

The problem
Given the following conditions, find a way to protect people from losing their money:
1-An established QC resistant algorithm being implemented in bitcoin and ready to accept funds from legacy addresses.

2-A number of 'old' wallets with a considerable amount of bitcoins still not migrated to the new scheme.

3-QC technology being mature enough to put wallets with exposed public keys at serious risk even in their transient state of exposure in an unconfirmed txn.


For such a hypothetical situation which by no means is expected to be met in the next couple of decades, I have an idea: Mine Your Own Transaction.

Owners of big enough wallets had better rent hash power and start solo mining bitcoin, waiting for a hit in real time, and owners of wallets with fewer coins can simply find a farm with enough hash power and pay them for privately mining their transaction.
squatter | Legendary | Activity: 1666 | Merit: 1196
October 09, 2019, 06:01:15 AM | #7

Quote from: aliashraf
OP,

I think there is and there will be no solution regarding funds in addresses with already exposed public keys in case of a QC cryptographic disaster. Such addresses are not too many, thank god.

There are quite a lot, actually:

Quote
At least 5M BTC is stored in outputs with known public key that I could identify, and there are probably millions more.

I can't begin to verify the numbers but it sounds like 30-50% of the existing supply could still be vulnerable even if unused P2PKH addresses are safe. With that much loot on the table -- an amount that surpasses the entire global bid side many times over -- anyone with access to a QC this powerful would have incentive to crack and sell outputs as quickly as possible.
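The distinction behind both Carlton Banks's post #3 (an address is a hash of the public key, so the key is hidden until the first spend) and the "outputs with known public key" estimate quoted just above, as an added example that is not code from this thread or from Bitcoin Core: a classifier for the three output-script templates the thread talks about, plus a tally of how much value sits in outputs whose key an ECDLP-breaking attacker would already have. Every key, key hash, signature and amount below is constructed for illustration (the 33-byte "pubkey" is not a valid curve point); `hash160` uses hashlib's ripemd160, which requires an OpenSSL build that exposes it.

```python
# Added example, not code from the thread: classify Bitcoin output scripts by
# whether the public key that controls them is already visible on-chain, and
# total the value sitting in such outputs, which is the shape of the
# "BTC in outputs with known public key" estimate quoted above.
# All keys, key hashes and amounts below are constructed for illustration.
import hashlib
from dataclasses import dataclass
from typing import Optional

OP_0, OP_DUP, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x00, 0x76, 0x88, 0xA9, 0xAC


def hash160(data: bytes) -> bytes:
    """RIPEMD160(SHA256(data)): what a P2PKH or P2WPKH output commits to.
    Needs an OpenSSL build that exposes ripemd160 to hashlib."""
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()


def p2pk_script(pubkey: bytes) -> bytes:
    return bytes([len(pubkey)]) + pubkey + bytes([OP_CHECKSIG])


def p2pkh_script(key_hash: bytes) -> bytes:
    return bytes([OP_DUP, OP_HASH160, 20]) + key_hash + bytes([OP_EQUALVERIFY, OP_CHECKSIG])


def p2wpkh_script(key_hash: bytes) -> bytes:
    return bytes([OP_0, 20]) + key_hash


def classify_output(spk: bytes) -> str:
    """Return 'p2pk', 'p2pkh', 'p2wpkh' or 'other' for a scriptPubKey."""
    n = len(spk)
    # P2PK (2009-era coinbases): <push 33|65> <pubkey> OP_CHECKSIG; key is in the clear
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"
    # P2WPKH (native segwit v0): OP_0 <push 20> <hash160>
    if n == 22 and spk[0] == OP_0 and spk[1] == 20:
        return "p2wpkh"
    return "other"


def key_hash_of(spk: bytes) -> Optional[bytes]:
    """The 20-byte key hash an output hides behind, or None if it hides none."""
    kind = classify_output(spk)
    if kind == "p2pkh":
        return spk[3:23]
    if kind == "p2wpkh":
        return spk[2:22]
    return None


def pubkey_from_p2pkh_spend(script_sig: bytes) -> bytes:
    """A P2PKH spend pushes <sig> <pubkey>; broadcasting it publishes the key,
    so every other output paid to hash160(pubkey) becomes exposed as well."""
    sig_len = script_sig[0]
    key_len = script_sig[1 + sig_len]
    return script_sig[2 + sig_len:2 + sig_len + key_len]


@dataclass
class Utxo:
    script_pubkey: bytes
    value_btc: float


def pubkey_exposed(utxo: Utxo, revealed_hashes: set) -> bool:
    """True if an ECDLP-breaking attacker already holds this output's public key."""
    if classify_output(utxo.script_pubkey) == "p2pk":
        return True
    h = key_hash_of(utxo.script_pubkey)
    return h is not None and h in revealed_hashes


def exposed_value(utxos: list, revealed_hashes: set) -> float:
    """Total BTC an attacker could target without any hash preimage work."""
    return round(sum(u.value_btc for u in utxos if pubkey_exposed(u, revealed_hashes)), 8)


if __name__ == "__main__":
    pk = bytes([0x02]) + b"\x11" * 32                   # constructed, not a real curve point
    h_reused = hash160(pk)
    spend = bytes([70]) + b"\x30" * 70 + bytes([len(pk)]) + pk   # constructed scriptSig
    revealed = {hash160(pubkey_from_p2pkh_spend(spend))}          # keys seen in spends
    utxos = [Utxo(p2pk_script(pk), 50.0),             # early coinbase, key in the clear
             Utxo(p2pkh_script(h_reused), 2.25),      # reused address, key now public
             Utxo(p2pkh_script(b"\xaa" * 20), 1.5),   # never spent from, still hashed
             Utxo(p2wpkh_script(h_reused), 0.25)]
    print("exposed BTC:", exposed_value(utxos, revealed))   # 52.5
```

The tally treats address reuse the way the quoted estimate must: once a key hash has appeared in any spend, every output still paying to that hash is counted as exposed, not just the one that was spent. Unconfirmed transactions are the remaining gap, as the Wuille quote in post #4 notes, and this classifier cannot see them.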

aliashraf | Legendary | Activity: 1456 | Merit: 1174
October 09, 2019, 09:35:34 AM | #8

Quote from: squatter
Quote from: aliashraf
OP,

I think there is and there will be no solution regarding funds in addresses with already exposed public keys in case of a QC cryptographic disaster. Such addresses are not too many, thank god.

There are quite a lot, actually:

Quote
At least 5M BTC is stored in outputs with known public key that I could identify, and there are probably millions more.

I can't begin to verify the numbers but it sounds like 30-50% of the existing supply could still be vulnerable even if unused P2PKH addresses are safe. With that much loot on the table -- an amount that surpasses the entire global bid side many times over -- anyone with access to a QC this powerful would have incentive to crack and sell outputs as quickly as possible.
Most of them, wallets with exposed public keys, will migrate to the new scheme before the catastrophe and after the QC resistant fork. At the end of the day, we are left with a (tiny, IMHO) fraction of bitcoin wallets being abandoned by their owners for some reason, of which I suppose less than 10% would have exposed keys and P2PKH addresses. My estimation is based on their current 25% ratio and the fact that such wallets tend to be more active compared to untouched wallets, which are more likely to have been abandoned.

I could even propose to pre-empt exposed public keys after a deadtime once the QC resistant fork is activated. It may look reasonable to mitigate the chaotic side-effects of such a robbery and a strengthening measure for bitcoin.
Carlton Banks | Legendary | Activity: 3430 | Merit: 3068
October 09, 2019, 09:42:09 AM | #9 | Merited by Welsh (2)

Quote from: pereira4
I think you are talking about Pieter Wuille:

Quote from: Pieter Wuille
Any unconfirmed transaction in flight exposes public keys, so if a QC exists, at least moving coins around safely becomes impossible. Further, a massive fraction of the currency supply can be taken. Lastly, you likely have exposed your own pubkey already.

Quote from: Pieter Wuille
Given all those hypothetical attack models that pubkey hashing doesn't help with at all, I think it's fair to say that Bitcoin as it exists today is not quantum secure, period.

It doesn't sound good.

yep, although there's at least 1 solution I can think of:

assuming you trust a miner (and it could be yourself if you have the hashing power, of course), you can give your transaction to a miner out of band, then the public key is never exposed until the tx moving your funds to a QC resistant keypair is already confirmed in a block. That would (hopefully!!!) be a one-off event, but hair-raising (and potentially expensive) all the same


Quote from: pereira4
Yeah it was theymos and he got hated bigly for his approach. The way I see it, the stash should be re-introduced slowly as mining rewards, or at least that's how I would have coded it since day 1, since if you are the only guy mining in the world, there isn't even a network and you would get a disproportionate amount of coins as the single participant in the system. At the same time I also think he took the bigger risk, so it should be rewarded... tough call.

I think the only solution is to render the whole P2PK supply unspendable, and to do that with the longest possible period of advance warning to give the holders of those private keys sufficient time to move their money. See, we're having a civil conversation about this, yet we already disagree!!! tough call indeed.


Quote from: pooya87
hashes could never be "reversed" and it is not exactly about efficiency, it is about virtually unlimited solutions. think of it like this: if i say i have a big number that is the sum of 10 other numbers you will never be able to guess what those 10 values were because there simply are too many possibilities.

the difference between hashing and ECC is that ECC is pure math so there could someday be a solution to solve that reverse mathematical problem (ECDLP) in a faster way, but hashing is a completely chaotic algorithm where we take an input, "mutate" it, toss the bits around and come up with a neat result. so the only way to attack hashing algorithms has always been to find a collision, meaning if i said "a85845e696ee7aac1b012d611edcbd6fbf1884c5" is my SHA1 hash you will never be able to find out what message i hashed but you could find another message some day (you still can't do it today even for SHA1) that could give the same result.

okay, I am aware of the logic underlying all of this, although you are more familiar with the details.

consider though: mathematicians/computer scientists/cryptographers working for powerful companies/organizations are not compelled to release every breakthrough they discover publicly. What if an efficient solution to what appears to be a brute forcing problem has in fact been discovered? Is that not the point of QCs anyway, to provide efficient solutions for which binary arithmetic Von Neumann machines cannot? Maybe some class of hashing algorithm could be developed to be resistant to such a thing, I simply do not know, but it seems to me that few others can really claim to _know_ either.

People always say "that's impossible", until someone pitches up one day and provides the solution. The fact that we are on this forum having this discussion is the result of exactly that happening: cypherpunks tried to create a Bitcoin, and their imagination for designing it failed several times until satoshi. People literally _couldn't_ believe satoshi initially, Hal Finney hung out with satoshi for a while, contemplating the details of his design, in a way to convince himself that there was not something satoshi was missing. Only once people like Wuille, Maxwell and Todd (as well as Szabo, Dai, and Back on the sidelines) arrived on the scene to contribute to validating the concept did people really begin to get over the disbelief.

*** the following is, to the best of publicly available knowledge, NOT POSSIBLE ***
There would be no such luxury under a "SHA reversed by quantum computers" scenario, one minute a single Bitcoin blockchain would exist, the next there would be infinite Bitcoin blockchains, and every Bitcoin client would have their poor little CPUs overloaded trying to figure out which one was the most-worked valid chain Grin
*** the above is to the best of publicly available knowledge, NOT POSSIBLE ***

DaCryptoRaccoon | Hero Member | Activity: 1187 | Merit: 568
October 09, 2019, 09:57:30 AM | #10


Quote from: Carlton Banks
which is why making satoshi's coins unspendable has merit

Really? And who would give you the permission to do such a thing?

Let's just think for a second: what if satoshi is not dead, and actually the coins ARE spendable?

There is so much assumption around the coins but one key thing to remember is if you don't hold it you don't own it.

No one has the right to touch the satoshi coins other than the owner. This is not the first topic that has made comments to the effect of "let's just burn or revoke them from the chain".

If satoshi's coins ever are community moved / revoked somehow then bitcoin will fail, no ifs, no buts; it will be a community-based attack in my view.

I'm very surprised to see this comment from you Carlton Banks.


Carlton Banks | Legendary | Activity: 3430 | Merit: 3068
October 09, 2019, 10:08:49 AM | #11

^^^ trolling ^^^

you don't really expect me to reply to your out-of-context weak BS, right? Roll Eyes


there's a good reason to do it, but I _did not_ even commit myself to it, I presented both sides, calmly

you started an argument, deliberately, where there was no argument.

aliashraf | Legendary | Activity: 1456 | Merit: 1174
October 09, 2019, 12:15:18 PM | #12

Quote from: Carlton Banks
consider though: mathematicians/computer scientists/cryptographers working for powerful companies/organizations are not compelled to release every breakthrough they discover publicly. What if an efficient solution to what appears to be a brute forcing problem has in fact been discovered? Is that not the point of QCs anyway, to provide efficient solutions for which binary arithmetic Von Neumann machines cannot? Maybe some class of hashing algorithm could be developed to be resistant to such a thing, I simply do not know, but it seems to me that few others can really claim to _know_ either.
Above, Pooya has excellently described why SHA is essentially different, being a hash function and not a number-theory problem in NP that is not solvable by deterministic sequential machines (e.g. Turing machines) and is vulnerable to quantum computers and Shor's algorithm, which is the category that ECDSA belongs to. It is just wrong to compare sha256 with ECDSA.

Please stop posting about topics you have no clue about. If it was ever possible to break SHA, bitcoin wouldn't be worth thousands of dollars because it would look just stupid to rely on an asset that is subject to a mathematical or technological development which could occur at any moment. To make it crystal clear: Bitcoin will be totally destroyed by such a hypothetical (surely impossible) development.

On the other side, cryptographers have never been confident about ECDSA being bullet proof, and quantum computing was a surprise just for ordinary users.

Carlton Banks | Legendary | Activity: 3430 | Merit: 3068
October 09, 2019, 12:43:48 PM | #13
Last edit: October 09, 2019, 06:48:20 PM by Carlton Banks

Quote from: aliashraf
If it was ever possible to break SHA, bitcoin wouldn't be worth thousands of dollars because it would look just stupid to rely on an asset that is subject to a mathematical or technological development which could occur at any moment.

you are speaking as the person who infamously claimed that SHA-2 ASICs broke SHA-2:

Quote from: aliashraf
Actually ASIC is a crack against cryptography, it has always been since WWII and nothing has changed, when a cryptographic algorithm gets ASICed, it should be considered a failure and fixed instead of being justified as 'inevitable', 'not a big deal' or even 'a good thing'!
It is just ridiculous how it is possible to have a cryptographic system of any kind being cracked by a specialized circuit and considered safe meanwhile.



have you forgotten which account you're logged into?? Grin

Edit: the above quote demonstrates @aliashraf is a (lazy) liar

Saidasun | Sr. Member | Activity: 334 | Merit: 275
October 09, 2019, 02:04:28 PM | #14

Quote from: aliashraf
On the other side, cryptographers have never been confident about ECDSA being bullet proof, and quantum computing was a surprise just for ordinary users.


This is an exaggeration because for encryption to work you have to be confident that it will do the job for a number of years, and that was true when ECDSA was developed and when it was implemented into Bitcoin. It is currently 'bullet proof'; even if quantum computing has made some significant gains in the last couple of years it is still currently bullet proof, and saying that cryptographers were never really confident in the protocol used inside Bitcoin is a bit of an overstretch.
aliashraf | Legendary | Activity: 1456 | Merit: 1174
October 09, 2019, 02:20:15 PM | #15
Last edit: October 09, 2019, 06:41:50 PM by achow101

Quote from: Carlton Banks
Quote from: aliashraf
If it was ever possible to break SHA, bitcoin wouldn't be worth thousands of dollars because it would look just stupid to rely on an asset that is subject to a mathematical or technological development which could occur at any moment.

you are speaking as the person who infamously claimed that SHA-2 ASICs broke SHA-2

have you forgotten which account you're logged into?? Grin
ASICs didn't break sha2, they broke bitcoin PoW; there is a difference whose understanding is beyond your expertise in the field. Wink

Are you a stalker of me?  Cheesy

Quote from: Saidasun
Quote from: aliashraf
On the other side, cryptographers have never been confident about ECDSA being bullet proof, and quantum computing was a surprise just for ordinary users.

This is an exaggeration because for encryption to work you have to be confident that it will do the job for a number of years, and that was true when ECDSA was developed and when it was implemented into Bitcoin. It is currently 'bullet proof'; even if quantum computing has made some significant gains in the last couple of years it is still currently bullet proof, and saying that cryptographers were never really confident in the protocol used inside Bitcoin is a bit of an overstretch.
No exaggerations there. Any single cryptographer on the planet has always been aware of the vulnerability of ECDSA to technology advancements, not to mention implementation backdoors and the fact that it was originally an NSA product. Actually, instead of bitcoin getting credit from ECDSA, it was bitcoin that promoted it as a reliable digital signature algorithm by providing a huge incentive and tempting adversaries to break its secp256k1 implementation of ECDSA.

As you've correctly mentioned in your post, ECDSA-secp256 has always been understood as a signature scheme reliable for a few decades, and it is why I think that destroying Satoshi's P2PK coins, in case s/he wouldn't migrate them to safe wallets in due time, shouldn't be considered unfair. As a cryptographer, he should have been aware of the existence of an "expiry date" for his public keys.
pereira4 (OP) | Legendary | Activity: 1610 | Merit: 1183
October 09, 2019, 04:01:31 PM | #16

Quote from: aliashraf
OP,

I think there is and there will be no solution regarding funds in addresses with already exposed public keys in case of a QC cryptographic disaster. Such addresses are not too many, thank god.

Implementing an efficient QC resistant signing algorithm is not much of a hurdle but the problem of 'old' wallets and their owners failing to 'migrate' to brand new QC resistant addresses is a serious one.

I think I have a solution for this latter problem which covers the case of Satoshi's coins:

The problem
Given the following conditions, find a way to protect people from losing their money:
1-An established QC resistant algorithm being implemented in bitcoin and ready to accept funds from legacy addresses.

2-A number of 'old' wallets with a considerable amount of bitcoins still not migrated to the new scheme.

3-QC technology being mature enough to put wallets with exposed public keys at serious risk even in their transient state of exposure in an unconfirmed txn.


For such a hypothetical situation which by no means is expected to be met in the next couple of decades, I have an idea: Mine Your Own Transaction.

Owners of big enough wallets had better rent hash power and start solo mining bitcoin, waiting for a hit in real time, and owners of wallets with fewer coins can simply find a farm with enough hash power and pay them for privately mining their transaction.


I get your point but mining is supposed to be a neutral thing where you don't have to worry about "picking the correct miner", it should be as simple as sending the transaction, but with a QC machine out there lurking in the shadows you can no longer do this. The problem is miners are anonymous, I can't see a way to rank "good miners" from bad miners. Nobody really has connections with CEOs of big mining farms to really know their agenda. Mining your own transactions is obviously not an option for 99% of users. There's also the theoretical scenario in which miners sense too much of a menace and decide to become bad actors while shorting Bitcoin's price. If we act and plan ahead those cannot happen because the incentives model would still be in place but in a moment of confusion and chaos and the fears of millions of BTC being or not compromised we may see miners freaking out, hence the whole thing must be ready before it happens. The question is right now this is probably sci-fi tier so just like climate change, you'll have a case for both "no need to do anything drastic now" and "start acting now". Result = no consensus, and no planning ahead.
mda | Member | Activity: 144 | Merit: 13
October 09, 2019, 05:57:20 PM | #17

Relax, people. No need to build the mining farm yet.

https://royalsocietypublishing.org/doi/pdf/10.1098/rsos.180410
squatter | Legendary | Activity: 1666 | Merit: 1196
October 09, 2019, 06:23:46 PM | #18 | Merited by AverageGlabella (2)

Quote from: aliashraf
Most of them, wallets with exposed public keys, will migrate to the new scheme before the catastrophe and after the QC resistant fork. At the end of the day, we are left with a (tiny, IMHO) fraction of bitcoin wallets being abandoned by their owners for some reason, of which I suppose less than 10% would have exposed keys and P2PKH addresses. My estimation is based on their current 25% ratio and the fact that such wallets tend to be more active compared to untouched wallets, which are more likely to have been abandoned.

Those numbers are completely invented. If my time in this space has taught me anything, it's that most people are overwhelmingly careless about their security and don't keep up with Bitcoin development. One of the reasons a fork like this should be done over several years is because it'll take that long just for people to gradually update their nodes. If a QC broke Bitcoin tomorrow, no emergency fork could repair the harm done by today's key practices.

This problem is compounded by the fact that quantum-resistant signatures like Lamport are extremely heavy, so we have an incentive to delay a fork as long as possible:
Quote
The size of Lamport public key and signature together is 231 times (106 bytes vs 24KB) more than the ECDSA public key and signature.

I'm not sure what alternatives there are.
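As an added example that is not part of squatter's post and is not code from any Bitcoin implementation, here is a minimal Lamport one-time signature over SHA-256 in Python. It reproduces the size figures quoted above (a 16 KB public key plus an 8 KB signature, against the 106-byte ECDSA figure from the quote, which is restated here as an assumed constant rather than measured) and shows the property that makes the scheme strictly one-time: every signature reveals half of the private key, and a second signature under the same key reveals enough that an observer can assemble a valid signature on any message whose digest bits all fall in the revealed set.

```python
"""Lamport one-time signatures over SHA-256. Added example; not code from the
thread or from any Bitcoin implementation."""
import hashlib
import os
from typing import List, Tuple

N_BITS = 256                      # one (preimage0, preimage1) pair per digest bit
HASH_LEN = 32                     # bytes per preimage and per hash
ECDSA_PUBKEY_PLUS_SIG = 33 + 73   # compressed key + DER sig, the thread's 106-byte figure (assumed)

PrivKey = List[Tuple[bytes, bytes]]
PubKey = List[Tuple[bytes, bytes]]
Signature = List[bytes]


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(msg: bytes) -> List[int]:
    """Message digest as a list of 256 bits, most significant bit first."""
    d = _h(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(N_BITS)]


def keygen(rng=os.urandom) -> Tuple[PrivKey, PubKey]:
    """Private key: 512 random preimages. Public key: their hashes."""
    sk = [(rng(HASH_LEN), rng(HASH_LEN)) for _ in range(N_BITS)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def sign(sk: PrivKey, msg: bytes) -> Signature:
    """Reveal, for each digest bit, the preimage selected by that bit."""
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def verify(pk: PubKey, msg: bytes, sig: Signature) -> bool:
    """Each revealed preimage must hash to the public-key entry chosen by the bit."""
    if len(sig) != N_BITS:
        return False
    return all(_h(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(msg))))


def sizes() -> Tuple[int, int, int]:
    """(public key bytes, signature bytes, ratio to the assumed ECDSA figure)."""
    pk_bytes = N_BITS * 2 * HASH_LEN     # 16384
    sig_bytes = N_BITS * HASH_LEN        # 8192
    return pk_bytes, sig_bytes, (pk_bytes + sig_bytes) // ECDSA_PUBKEY_PLUS_SIG


def revealed_positions(signed_msgs: List[bytes]):
    """Set of (index, bit) whose preimage is public after signing these messages.
    One signature reveals exactly 256 of the 512; a second reveals 256 plus the
    Hamming distance between the two digests."""
    return {(i, bit) for m in signed_msgs for i, bit in enumerate(_bits(m))}


def can_forge(signed_msgs: List[bytes], target: bytes) -> bool:
    """An observer can assemble a valid signature on `target` from published
    signatures iff every preimage the target's digest selects is already revealed."""
    known = revealed_positions(signed_msgs)
    return all((i, bit) in known for i, bit in enumerate(_bits(target)))


if __name__ == "__main__":
    sk, pk = keygen()
    sig = sign(sk, b"move 'em or lose 'em")
    print("valid:", verify(pk, b"move 'em or lose 'em", sig))
    print("pubkey, sig, ratio:", sizes())
    print("preimages exposed after two signatures:",
          len(revealed_positions([b"a", b"b"])), "of", 2 * N_BITS)
```

The ratio comes out at 231, matching the quote. The one-time constraint is the practical cost the thread is circling around: a Lamport key is consumed by a single spend, so a many-time scheme has to bundle many such keys under a Merkle root (the XMSS/SPHINCS family does this), which is where the per-signature size grows further.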

AverageGlabella
Legendary
*
Offline Offline

Activity: 1232
Merit: 1080


View Profile
October 09, 2019, 06:43:36 PM
Merited by Welsh (6), joniboini (2)
 #19

I'm sick to death of these "quantum computers are the end of Bitcoin" type posts. The community is so misinformed about how quantum computers work that it's very worrying, because if quantum computers do not destroy Bitcoin, which they won't, I think this false propaganda from so-called experts will destroy public opinion about Bitcoin.

Quote
I really wonder about this pretty much daily and I don't have the answers. Not only would we have a problem changing hashing algos, elliptic curves and whathaveyou, but we would need to do something about funds which are no longer safe. What do you do with satoshi's stack? How does this resolve? There would be people claiming "do nothing with satoshi's coins, they are his coins after all" while others will argue the coins are basically a big vulnerability for the ecosystem at that point. Do you have any clear vision of how things would turn out? These things need to be planned ahead and I don't see enough discussion tbh.
If there comes a time where Bitcoin is under threat from quantum computers we will have multiple forks in the chain, no doubt, because the difference of opinion between the members of the Bitcoin community as well as the miners will cause uncertainty. This will be problematic in the short term and, depending on public perception after the media reporting on it, could have a medium effect on Bitcoin acceptance.
Quote
Do you have any clear vision of how things would turn out? These things need to be planned ahead and I don't see enough discussion tbh.
No one on this forum has a clear vision of how we are going to deal with it, because there are multiple different routes to take, all with their own little side effects on the community and Bitcoin, but one thing is for sure: we have multiple years to figure this out. This talk about quantum computers destroying Bitcoin, and asking what the steps to countering quantum computers are, is discussed at least weekly on this forum, so there definitely is enough discussion about it.
Quote
1. implement quantum resistant signatures
2. give people 5-10 years to move their coins
3. destroy all non quantum resistant outputs

move 'em or lose 'em! once the fork occurs, all previously lost coins would be permanently destroyed. this provides the added bonus of being a one-time audit of the active supply.

do i see this actually happening? not really, i just think that's the best case scenario. there seems to be a lot of inertia around this issue. a lot of people seem to think "no biggie" about a huge chunk of the supply being vulnerable, which boggles my mind.
Force people who use Bitcoin wallet software that is connected to the internet to update to the chain with quantum-resistant signatures. However, this is not a perfect solution for those who are holding their coins in cold storage and might not follow Bitcoin news regularly enough.

Quote
It doesn't sound good. The thing with Bitcoin is that in order for it to be "gold 2.0" we must avoid clusterfucks like this, or if they happen, it must be at least a once-in-a-lifetime event. Moving huge sums is a big PITA for serious permahodlers.
Why would we want to emulate gold and become gold 2.0? Quantum computers are a once-in-a-lifetime event and will probably not be an issue for many people, because they can simply switch to the new chain once all the hard work has been done by the developers. I'm calling it now: there will be a massive divide between the developers, and each developer will be pushing their own motive-induced way of dealing with this, and that is the biggest threat of them all, not these quantum computers.

Quote
Those numbers are completely invented. If my time in this space has taught me anything, it's that most people are overwhelmingly careless about their security and don't keep up with Bitcoin development. One of the reasons a fork like this should be done over several years is because it'll take that long just for people to gradually update their nodes. If a QC broke Bitcoin tomorrow, no emergency fork could repair the harm done by today's key practices.

Very good point, and that's the only argument I see about quantum computers not being a problem right now; it does persuade me a little bit to consider starting the development towards a quantum-resistant Bitcoin earlier than I had in my head. I still think the perfect solution does not exist, and whichever way we go there will be instability in Bitcoin and people will lose their coins, but I'm talking way in the future.
aliashraf
Legendary
*
Offline Offline

Activity: 1456
Merit: 1174

Always remember the cause!


View Profile WWW
October 09, 2019, 06:50:47 PM
Last edit: October 09, 2019, 07:13:29 PM by aliashraf
Merited by Welsh (3), ABCbits (2), joniboini (2)
 #20

Quote
OP,
...
For such a hypothetical situation, which by no means is expected to be met in the next couple of decades, I have an idea: Mine Your Own Transaction.

Owners of big enough wallets had better rent hash power and start solo mining bitcoin, waiting for a hit in real time, and owners of wallets with fewer coins can simply find a farm with enough hash power and pay them for privately mining their transaction.


Quote
I get your point but mining is supposed to be a neutral thing where you don't have to worry about "picking the correct miner", it should be as simple as sending the transaction, but with a QC machine out there lurking in the shadows you can no longer do this. The problem is miners are anonymous, I can't see a way to rank "good miners" from bad miners. Nobody really has connections with CEOs of big mining farms to really know their agenda. Mining your own transactions is obviously not an option for 99% of users. There's also the theoretical scenario in which miners sense too much of a menace and decide to become bad actors while shorting Bitcoin's price. If we act and plan ahead those cannot happen because the incentives model would still be in place but in a moment of confusion and chaos and the fears of millions of BTC being or not compromised we may see miners freaking out, hence the whole thing must be ready before it happens. The question is right now this is probably sci-fi tier so just like climate change, you'll have a case for both "no need to do anything drastic now" and "start acting now". Result = no consensus, and no planning ahead.
I totally agree with your concerns about how badly the QC issue is treated by the community; it is not the only issue that is open in bitcoin, to be fair.
But for now, let's forget about governance problems for the time being and be optimistic about some sort of consensus being reached to handle the QC problem; the question would be whether we could do anything serious about it?

My answer is definitively YES:
1- Implement a QC-resistant digital signature algorithm in bitcoin with a soft fork.

2- Draw two deadlines in the fork for wallets to migrate:
  • First deadline (n blocks after the fork):
    • No legacy-format outputs will be included in the blockchain after the nth block.
    • All P2PK outputs should migrate to new addresses within n blocks; otherwise, they are considered void and no miner would confirm transactions with such inputs after n blocks.
  • Second deadline (m>n blocks after the fork):
    • P2PKH wallets should migrate; otherwise, after m blocks, anybody who has access to the public key corresponding to such a UTXO has the right to nullify it with a fixed satoshi/byte fee rate by means of generating and relaying a transaction.

3- Let people with abandoned P2PKH UTXOs with an uncompromised public key that are still active after the second deadline mine their transactions privately by leasing/installing hash power or by buying a private service from known responsible miners/pools.

As for your perception of miners as being anonymous, actually most of the largest mining farms/pools are anything other than anonymous, and your point about ordinary people not being able to lease such hash power can be fixed by providing something like a private transaction confirmation service by pools/miners.
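To make the two deadlines concrete, here is an added example in Python (my own illustration, not aliashraf's code and nothing from Bitcoin Core). It classifies scriptPubKeys as P2PK or P2PKH by parsing the script bytes, decides whether each output's public key is already readable from the chain (a P2PK output carries the key itself; a P2PKH output only carries its hash until the key signs a spend, so address reuse is what exposes it), and then applies the post's rules to a constructed UTXO set at a given block height. The fork height, the values of n and m, the 0xfe prefix standing in for a quantum-resistant output type, and the sample outputs and revealed-key set are all assumptions.

```python
"""Classify scriptPubKeys by public-key exposure and apply a two-deadline
migration rule to a constructed UTXO set. Added example; every constant below
is an assumption made for illustration, not a real proposal or chain data."""
from typing import Dict, List, Set

OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC
PQ_PREFIX = b"\xfe"          # hypothetical marker for a quantum-resistant output type

FORK_HEIGHT = 700_000        # assumed activation height of the soft fork
N_BLOCKS = 52_560            # first deadline (n), roughly one year of blocks
M_BLOCKS = 262_800           # second deadline (m > n), roughly five years of blocks


def classify(spk: bytes) -> str:
    """Return 'p2pk', 'p2pkh', 'pq' or 'other' for a scriptPubKey."""
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG; the key itself sits in the script
    if len(spk) >= 2 and spk[0] in (33, 65) and len(spk) == spk[0] + 2 and spk[-1] == OP_CHECKSIG:
        if (spk[0] == 33 and spk[1] in (2, 3)) or (spk[0] == 65 and spk[1] == 4):
            return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG; only a hash is on chain
    if len(spk) == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh"
    if spk.startswith(PQ_PREFIX):
        return "pq"
    return "other"   # P2SH, segwit programs etc. are out of scope for this example


def pubkey_exposed(spk: bytes, revealed: Set[bytes]) -> bool:
    """True if a key-recovering quantum computer could already read the public key
    from the chain. `revealed` holds hash160 values whose key has signed before."""
    kind = classify(spk)
    if kind == "p2pk":
        return True
    if kind == "p2pkh":
        return spk[3:23] in revealed
    return False


def may_create(spk: bytes, height: int) -> bool:
    """First deadline: no legacy-format outputs in blocks from FORK_HEIGHT + N_BLOCKS on."""
    return classify(spk) == "pq" or height < FORK_HEIGHT + N_BLOCKS


def spend_status(spk: bytes, revealed: Set[bytes], height: int) -> str:
    """What the post's rules say about spending this output at `height`."""
    kind = classify(spk)
    if kind == "other":
        return "out-of-scope"
    if kind == "pq" or height < FORK_HEIGHT:
        return "spendable"
    if kind == "p2pk":
        # first deadline: unmigrated P2PK outputs are void
        return "spendable" if height < FORK_HEIGHT + N_BLOCKS else "void"
    if height < FORK_HEIGHT + M_BLOCKS:
        return "spendable"
    # second deadline: anyone holding the public key may nullify the output;
    # a P2PKH whose key was never revealed stays spendable (mined privately, per the post)
    return "nullifiable" if pubkey_exposed(spk, revealed) else "spendable"


def migration_report(utxos, revealed: Set[bytes], height: int) -> Dict[str, str]:
    return {label: spend_status(spk, revealed, height) for label, spk in utxos}


def at_risk(utxos, revealed: Set[bytes]) -> List[str]:
    """Labels of outputs whose key is already exposed, i.e. the ones a QC could take now."""
    return [label for label, spk in utxos if pubkey_exposed(spk, revealed)]


# --- constructed sample data (not real keys, hashes or chain data) ---
PK_A = b"\x04" + bytes(range(64))        # uncompressed pubkey shape, as in early coinbases
H_B = bytes(range(20))                   # hash160 of a key that has signed a spend before
H_C = bytes(range(20, 40))               # hash160 of a key that never signed
REVEALED = {H_B}

SAMPLE_UTXOS = [
    ("early p2pk coinbase", bytes([65]) + PK_A + bytes([OP_CHECKSIG])),
    ("reused p2pkh address", bytes([OP_DUP, OP_HASH160, 20]) + H_B + bytes([OP_EQUALVERIFY, OP_CHECKSIG])),
    ("fresh p2pkh address", bytes([OP_DUP, OP_HASH160, 20]) + H_C + bytes([OP_EQUALVERIFY, OP_CHECKSIG])),
    ("migrated output", PQ_PREFIX + bytes(32)),
]

if __name__ == "__main__":
    for h in (FORK_HEIGHT - 1, FORK_HEIGHT + N_BLOCKS, FORK_HEIGHT + M_BLOCKS):
        print(h, migration_report(SAMPLE_UTXOS, REVEALED, h))
    print("exposed today:", at_risk(SAMPLE_UTXOS, REVEALED))
```

Run it and the three heights show the schedule the post describes: before the fork everything is spendable, at the first deadline the P2PK coinbase becomes void while both P2PKH outputs are still fine, and at the second deadline only the reused address (whose key is on chain) becomes nullifiable. The at_risk list is the same set a quantum attacker could target today, which is the figure the thread argues about under "exposed public keys".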